Instructions for

Configure Direct Authentication grant types

Use this guide to implement a direct authentication multifactor one-time-passcode (MFA OTP) flow for your app.

Learning outcomes

Understand the OAuth 2.0 direct authentication MFA OTP flow.
Set up your app with the MFA OTP grant type.
Implement the MFA OTP flow in Okta.

What you need

Okta Developer Edition organization (opens new window)
An app that you want to implement OAuth 2.0 direct authentication MFA OTP with Okta
A test user in your org that's enrolled in an authenticator like Google Authenticator
The Direct Authentication feature enabled for your org. Contact Okta Support (opens new window) to enable this EA feature.
The super admin role assigned to you. When you create an app, or update an existing app, you must have super admin permissions to enable direct authentication grant types.

Note: Okta's Developer Edition makes most key developer features available by default for testing purposes. Okta's API Access Management product — a requirement to use Custom Authorization Servers — is an optional add-on in production environments.

About the direct authentication

MFA OTP
grant

Use direct authentication when you want your application to directly authenticate users. For example, you don't want to delegate authentication to an IdP or authorization server using an HTTP redirect in a web browser. While delegating authentication is preferred, use direct authentication in situations where there's a high degree of trust between the user and your app.

Also, you can use direct authentication where usability constraints hinder the use of browser-based flows, such as mobile applications.

Note:

See About MFA authenticators (opens new window) for more information on authenticators, and primary and secondary factors.

See Configure a global session policy and authentication policies (opens new window) for more information on configuring primary and secondary factor conditions.

Grant-type flow

Direct Authentication MFA OTP flow

Sequence diagram that displays the back and forth between the resource owner, client app, and authorization server for MFA OTP flow"

At a high level, this flow has the following steps:

Your client app prompts the user for their username and password in the app interface.
The user enters their credentials.
Your app sends the user's credentials and the Resource Owner Password grant type (grant_type=password) to the Okta authorization server /token endpoint.

Register your app so that Okta can accept the authorization request. See Set up your app to register and configure your app with Okta. After registration, your app can make an authorization request to Okta. See Request for tokens.
Okta sends an HTTP 403 error that MFA is required and includes the mfa_token value in the response.
Your app prompts the user for an OTP in the app interface.
The user obtains the OTP from their device authenticator and enters it into the app interface.
Your app sends the following parameters in a /token request to the Okta authorization server:
- otp
- mfa_token
- grant_type=http://auth0.com/oauth/grant-type/mfa-otp
Note: See the MFA OTP grant type (opens new window) on the /token page. To view specific MFA OTP grant information, select http://auth0.com/oauth/grant-type/mfa-otp from the grant_type dropdown list.
If the OTP and mfa_token are accurate, Okta responds with the requested tokens.

Enable authenticators for your org

Direct authentication grant type flows use passwordless authentication, such as using Okta Verify and SMS. To use the direct authentication

flow, you must enable a non-password authenticator like

Open the Admin Console for your org.
Go to Security > Authenticators to view the available authenticators.
Do the following if

Google Authenticator or Okta Verify
isn't in the list:
- Click Add authenticator.
- Click Add on the authenticator tile, and then click Add in the next dialog.
- Verify the status of the authenticator.
  - Select the Enrollment tab.
  - Identify the authenticator and verify that the authenticator is set to either Optional or Required in the Eligible authenticators section of the Default Policy.
- If the authenticator is set to Disabled, enable the authenticator.
  - Click Edit for the Default Policy.
  - Select Optional from the dropdown box for the authenticator.
  - Click Update Policy.

Set up your authorization server

To use the

flow, both your client app and the Okta authorization server used with the app must have the

grant type enabled.

If your Okta org uses Identity Engine, then the

grant type is automatically configured in your org authorization server. For custom authorization servers used with your app, you must enable

In the Admin Console, go to Security > API.
On the Authorization Servers tab, click the pencil icon next to the authorization server that you want to use.
Select the Access Policies tab.
Click the pencil icon from the Actions column for the Default Policy Rule to access the Edit Rule dialog.

Note: If you're using a different policy for your app, edit that policy instead.
Click Advanced in the IF Grant type is section.
Select

MFA OTP
in the Okta direct auth API grants section (in addition to any other grant type that is already supported).
Click Update Rule.

Set up your app

Before you can implement authorization, you need to register your app in Okta by creating an app integration from the Admin Console.

Note: When you create or update an app, you must have super admin permissions to enable direct authentication grant types.

Open the Admin Console for your org.
Select Applications > Applications to view the current app integrations.
Click Create App Integration.
Select
OIDC - OpenID Connect
as the Sign-in method.
Select Native Application as the Application type, then click Next.
Specify the App integration name.
Click Advanced in the Grant type section and select the

Resource Owner Password and MFA OTP grant types
in addition to the defaults.
Select Allow everyone in your organization to access, then click Save.
From the General tab of your app integration, copy and save the generated Client ID value to implement your authorization flow.

Set up the authentication policy

In direct authentication flows, the client specifies a grant type that indicates the type of authenticator being used. However, the server can't grant a token until the client’s authentication policy is satisfied.

Note: This example creates a new app authentication policy with a

two-factor rule
for testing purposes.

Go to your app’s Sign On tab, scroll to the bottom, and click View policy details.
Click Actions on the right of the Default Policy title and select Clone policy.
Click Actions again and select Edit name and description.
Name the policy (for example,
Direct Auth MFA OTP 2FA
) and click Save.
Click Add a rule, name it (for example,
2 MFA OTP Factor
).
Specify your test user for AND User is.
Skip down to AND User must authenticate with and select
Password + Another factor
, and then click Save.
Open the application that you just created and select the Sign On tab.
Scroll to the User authentication section at the bottom and click Edit.
Select the authentication policy that you just created and click Save.

Flow specifics

The following sections outline the requests required to implement the MFA OTP flow using direct calls to the Okta OpenID Connect & OAuth 2.0 API.

Request for tokens

Before you can begin this flow, collect the username and password from the user in a manner of your choosing. Then, make an API call to the Okta authorization server /token endpoint using the Resource Owner Password grant type. Your request should look something like this:

curl --request POST \
  --url https://{yourOktaDomain}/oauth2/v1/token \
  --header 'accept: application/json' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'client_id={client_id}&scope=openid%20profile&grant_type=password&username={testuser%40example.com}&password={userpassword}'

Note the parameters that are passed:

client_id: Matches the client ID of the application that you created in the Set up your app section. You can find it at the top of your app's General tab.
scope: Must be at least openid. If you're using a custom authorization server, see the Create Scopes section of the Create an authorization server guide.
grant_type: password, which indicates that you're using the Resource Owner Password grant type.
username: The email username of a registered Okta user.
password: The password of the matching user.

Not used in this example:

grant_types_supported: (Optional) A list of grant types that the client supports. Some clients aren't able to support all grant types. Use this parameter to specify to Okta that the included grant types are all that the client supports. This allows Okta to return an error if the provided grant types don't satisfy the access policy.

For more information on these parameters, see the /token endpoint (opens new window).

Response

Since this is a two-factor flow, Okta sends an HTTP 403 error and includes the mfa_token in the response. The mfa_token is a unique token used for identifying multifactor authentication flows to link the request to the original authentication flow.

    {
        "error": "mfa_required",
        "error_description": "Verify with an additional authenticator to complete the sign-in process.",
        "mfa_token": "F5snZpk1UBRKHYR6N7Mh"
    }

Second token request

Your app prompts the user for an OTP in the app UI. The user obtains the OTP and enters it into the app interface. Your app then makes a /token request to the authorization server:

curl --request POST \
  --url https://{yourOktaDomain}/oauth2/v1/token \
  --header 'accept: application/json' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'client_id={client_id}&scope=openid profile&grant_type=http://auth0.com/oauth/grant-type/mfa-otp&otp={otp_value}&mfa_token={mfa_token_value}'